Contact Us

Privacy Policy – Crealytics Retail Media

Last Updated: May 9, 2023

This Privacy Policy provides you with information regarding which personal data we collect when you use our crealytics Retail Media Platform (hereinafter referred to as “Retail Media Platform”) and for what purpose these data are used. You can access this Privacy Policy at any time by visiting our website: crealytics.com/retail-media/privacy-policy

1. Controller/Contact

The controller within the meaning of applicable data protection law is:

crealytics GmbH
Salzufer 12
10587 Berlin
Germany

Telephone: +49 30 609 8381 0

Email: info@crealytics.com

If you have questions or suggestions regarding any data protection matter, you can also write to us via email; our email address is info@crealytics.com You can reach our data protection officer at dataprotection@crealytics.com.

2. The data protected

The data protected are personal data. Article 4(1) GDPR defines personal data as any information relating to an identified or identifiable natural person; this definition includes data such as names and identification numbers.

3. Automated data collection

Whenever you access the Retail Media Platform, your device automatically transmits data for technical reasons. Unless otherwise stated in this Privacy Policy, these data are stored separately from other data, which you may transmit to us under certain circumstances:
• date and time of access, browser type and version;

• IP address.
The data is stored for the following purposes:

• ensuring the security of our IT systems, e.g., to counter specific attacks on our systems and detect attack patterns,

• ensuring proper operation of the Retail Media Platform and our IT systems, e.g. if errors occur that we can only rectify by storing the IP address,

• enabling criminal prosecution, averting of dangers as well as legal prosecution in the event of specific indication of criminal offenses.

Log data and the IP address are stored for a period of 30 days.

Log data are stored for a longer period in the event of specific indication of criminal offenses to enable criminal prosecution as well as legal prosecution in the event of specific indication of criminal offenses. In this case, the data will be deleted when the relevant procedures have been completed.

The processing takes place to ensure the security of processing pursuant to Article 32 GDPR and based on our above-mentioned legitimate interests (Article 6(1)(f) GDPR).

4. Provision of our services / Your Retail Media Platform user account

4.1 Login

To use the Retail Media Platform, you need to login to your user account. To register you for your user account we will process your email address that you or our customer for whom you are working has provided to us to set up your account and send you your initial password. We will then ask you to change the initial password to a password of your choice.

To login to your account, you must provide the following mandatory information:

• Name

• Email address

• Password

For authorisation and authentication, we use the services of Auth0, Inc., 10800 NE 8th Street, Suite 700, Bellevue, WA 98004, United States (“Auth0”). Auth0 processes your personal data on our behalf and in accordance with our instructions (within the meaning of Art 4 No 8, 28 GDPR).

Your data are processed in the United States. There exists no adequacy decision of the EU Commission for the United States. For this reason, we and Auth0 entered into the standard data protection clauses adopted by the EU Commission in accordance with Art 46(2)(c) GDPR.

4.2 Managing your account and providing you with the Retail Media Platform

Further, we will process your personal data, such as your email address and the settings you have applied to manage your account and to provide you with the features of the Retail Media Platform.

4.3 Ensuring proper operation of the Retail Media Platform

In order to ensure proper operation of the Retail Media Platform, we log certain actions you take within the Retail Media Platform (for example, creating and editing campaigns or advertising units). This enables us to monitor any erroneous or unintentional actions which may negatively impact your experience and to quickly resolve any errors. Where appropriate, we may share this information with the Retailer, for example in the case where the Retailer is your main point of contact.

4.4 Legal basis for the processing

The processing is based on Art 6(1)(f) GDPR as we have a legitimate interest in setting up and managing your account in the course of providing our services as well as ensuring proper operation, therewith allowing the performance of the respective contractual relationship with our customers.

We erase your data immediately upon account deletion request.

We further store your personal data in case such data is of legal relevance. The storage takes place based on our legitimate interest, the proper documentation of our business operations and the securing of our legal positions (Art 6(1)(f) GDPR) and, if applicable, for the fulfilment of legal obligations (Art 6(1)(c) GDPR).

5. Support requests

Your support requests are handled using the customer service platform Support Hero, a service provided by Support Hero LLC, 5280 Ivyfarm Rd, Cincinnati, Ohio, 45243, United States (“Support Hero”), which we use as a processor.

Support Hero processes your personal data on our behalf and in accordance with our instructions (within the meaning of Art 4 No 8, 28 GDPR) in the United States. There exists no adequacy decision of the EU Commission for the United States. For this reason, we and Amazon entered into the standard contractual clauses adopted by the EU Commission in accordance with Art 46(2)(c) GDPR.

If you send us a support request through the Retail Media Platform, we process the details regarding the topic of your request as well as any additional information you provide to respond to your request. Along with the message, we receive information about the device, browser, and operating system you are using as well as the URL.

The processing is based on Art 6(1)(f) GDPR as we have a legitimate interest in effectively processing your request and to allow the performance of the respective contractual relationship with our customers.

In the case of requests, which have potential legal relevance, we reserve the right to retain the requests for a period equal to the respective statutes of limitation, that is: three years, commencing as of the end of the year in which we have received your request. Apart from said cases, we erase requests once we no longer need them for the purpose for which we collected them such is the case once we have processed your request completely.

The storage takes place based on our legitimate interest, the proper documentation of our business operations and the securing of our legal positions (Art 6(1)(f) GDPR) and, if applicable, for the fulfilment of legal obligations (Art 6(1)(c) GDPR).

6. Web Host

We operate the Retail Media Platform on the servers of our web host Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google process personal data on our behalf and in accordance with our instructions (within the meaning of Art 4 No 8, 28 GDPR).

7. Cookies and similar technologies

We use strictly necessary cookies and similar technologies (such as local storage) allowing us to offer you the features of the Retail Media Platform.

These cookies and similar technologies are strictly necessary for the operation and functionality of the Retail Media Platform. They allow the Retail Media Platform to be accessible and available as they provide essential and basic functionalities.

We use the below listed strictly necessary cookies and similar technologies for the purposes as follows:
These strictly necessary cookies and similar technologies are used without your consent pursuant to Sec 25(2) No 2 German Telemedia and Telecommunication Data Protection Act (“TTDSG”). To the extent that personal data is processed in connection with these cookies and similar technologies, such processing is carried out for the above-mentioned purposes and legitimate interests, necessary for the Retail Media Platform to be accessible and available to you, Art 6(1)(f) GDPR.

8. Sharing data

Unless otherwise specified in this Privacy Policy, your personal data will be shared without your prior consent only in the cases specified below:

8.1

If necessary, for purposes of investigating the unlawful use of our services or for purposes of establishing our rights, personal data will be shared with law enforcement agencies and, where applicable, with injured third parties. Personal data will be shared, however, only if specific evidence exists, which is indicative of illicit or abusive conduct. Personal data can also be shared, when sharing that data serves to enforce terms of use or other agreements. Furthermore, we are required by law to provide information to certain public agencies. These include law enforcement agencies, government authorities that prosecute misdemeanours subject to fines, and fiscal authorities.

Personal data will be shared not only on the basis of the legitimate interest we have in combatting abuse; in prosecuting crimes; and in securing, establishing, and enforcing claims, Art 6(1)(f) GDPR, but also on the basis of a statutory obligation, as contemplated by Art 6(1)(c) GDPR.

8.2

We disclose personal data to auditors, accounting service providers, lawyers, banks, tax consultants and similar bodies insofar as this is necessary for the provision of our services (Art 6(1)(b) GDPR) or the proper operation of our business (Art 6(1)(f) GDPR) or we are obliged to do so (Art 6(1)(c) GDPR).

8.3

In providing our services, we rely on third-party undertakings and outside service providers (“Processors”), each bound by contracts. In these cases, personal data are shared with these Processors for further processing. These Processors are carefully selected by us and audited at regular intervals in order to ensure that your rights and freedoms are preserved. Processors may use the data only for the purposes specified by us and are also required by contract to handle your data only in compliance with this Privacy Policy and with applicable data protection law.

Data are shared with Processors on the basis of Art 28(1) GDPR, alternatively on the basis of the legitimate interest we have in the economic and technical benefits associated with the engagement of specialized Processors, Art 6(1)(f) GDPR. Beyond the Processers already specified in this Privacy Policy, we engage the following categories of Processers:

  • IT service provider
  • Cloud service provider
  • Hosting service provider
  • Software service provider

If you do not wish that we store data in your local storage, you can configure your end device accordingly. Please note that in this case the functionalities of the Search Platform may no longer be available to you or only to a limited extent.

8.4

In the course of developing our business, it is possible that the structure of crealytics GmbH will be changed, by changing its legal form; by establishing, selling, or buying subsidiaries or business divisions. In the event of such transactions, customer information will be passed on, together with any portion of the business to be transferred. In the event personal data are shared with third parties within the scope described above, we shall ensure that those data are shared in accordance with this Privacy Policy and with applicable data protection law.

Sharing personal data is justified on the grounds that we have a legitimate interest in changing the form of our undertaking to align, whenever necessary, with the economic and legal particularities on the ground, Art 6(1)(f) GDPR.

9. Transfer to third countries

We also process data in countries outside the European Economic Area (“EEA”), in so-called third countries, and/or transfer data to recipients in these third countries. The foregoing also includes the United States. Please note that, at present, there exists no adequacy decision of the EU Commission; that, in general, these third countries have an adequate level of data protection. In particular, there exists, at present, no adequacy decision of the EU Commission for the United States. Where we transfer personal data outside of the EEA, we will ensure one of the following requirements is fulfilled:

  • the transfer is to a third country which has an adequacy decision by the EU Commission, Art 45 GDPR;
  • the transfer is covered by a contractual agreement, which covers the GDPR requirements relating to transfers to third countries, in particular standard contractual clauses (or also called standard data protection clauses) pursuant to Art 46(2)(c) GDPR adopted by the EU Commission extended by additional safeguards according to the European Court of Justice findings in Schrems-II.

You can request further details about the safeguards that we have implemented, including, where applicable a copy of the standard contractual clauses by contacting us using our contact details provided in Section 1 above.

10. Changes in purpose

Your personal data will be processed for purposes other than those described only to the extent such is permitted by law or to the extent to which you have given your consent that your data can be processed for the purpose so changed. In the event your data are processed for purposes other than those for which the data were originally collected, but before those data are so processed, we will inform you of such other purposes and provide you with all further information material to such purpose(s).

11. Erasure of your data

As a general rule, we erase your personal data once they are no longer needed for the purposes for which we have collected or processed them in accordance with this privacy policy.

Further storage of your personal data only occurs to the extent:

  • that we are bound by law to retain your data, Art 6(1)(c) GDPR. In particular, statutory rules and regulations governing storage of data can arise from the retention periods contemplated by the Handelsgesetzbuch (Commercial Code) or by the Abgabenordnung (German Fiscal Code). The retention periods contemplated by these statutes are usually between 6 and 10 years.
  • to the extent the data is required for criminal prosecution or for the establishment, exercise or defense of legal claims. Therein also lies our legitimate interest, Art 6(1)(f) GDPR. In these constellations, we will store your personal data until the corresponding process has been completed, plus the statutory period of limitation.

In these cases, the processing of your data is restricted. The data is then no longer available for further use.

12. Providing your personal data

Neither by law nor by contract are you required to provide your personal data.

To some extent, however, it is necessary that you provide personal data, so that we can provide you with our services and the features available on our Retail Media Platform. In particular, it is necessary that you provide your personal data, so that we can create and manage your user account for the Retail Media Platform and take into receipt and process any requests you send to us.

Wherever it is necessary for you to provide certain data, we have identified that data by making it a required field. Providing further data is voluntary. The consequence of not providing required data is that we will be unable to provide the relevant services and features, including, but not limited to, our inability to create or manage your account and to take into receipt and to process your requests.

Where voluntary information is concerned, the consequence of not providing such information will be that we will be unable to provide the relevant features and services or that we will be unable to provide them as they are intended to be provided.

13. Automated individual decisions or profiling measures

We do not use automated processing processes to make decisions, including profiling.

14. Your rights as data subject

14.1 Right of access

Within the scope of Art 15 GDPR and Sec 34 BDSG, you have the right to obtain from us, at any time you request, access to the personal data concerning you. To exercise this right, you can submit your request by mail or via email by using the address given in Section 1 above.

14.2 Right to rectify inaccurate data

You have the right to obtain from us without undue delay the rectification of any inaccurate personal data concerning you. To exercise this right, please use the contact address specified in Section 1 above.

14.3 Right to erasure

Given the prerequisites described in Art 17 GDPR and Sec 35 BDSG, you have the right to obtain from us the erasure of personal data concerning you. In particular, these prerequisites prescribe a right of erasure, whenever the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed as well as in cases of unlawful processing, of the existence of an objection, or in case the data have to be erased for compliance with a legal obligation under European Union law or the law of any Member State, to which we are subject. To exercise your right set out in the foregoing, please use the contact address specified in Section 1 above.

14.4 Right to restriction of processing

Under Art 18 GDPR, you have the right to obtain from us the restriction of processing. This right exists in cases including, but not limited to, those in which the accuracy of the personal data is contested between you and us, for the period required to verify the accuracy, as well as in case you have a right to erasure, but request a restriction of processing instead of erasure; further in case the data are no longer necessary for the purposes pursued by us, but you need them to establish, to exercise, or to defend against legal claims, as well as if the successful exercise of an objection remains contested between us. To exercise your right as set out above, please use the contact address specified in Section 1 above.

14.5 Right to data portability

Under Art 20 GDPR, you have the right to receive from us the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. To exercise your right as set out above, please use the contact address specified in Section 1 above.

14.6 Right to object

Under Article 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which, inter alia, is based on point (e) or (f) of Article 6(1). We shall no longer process your personal data, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

To the extent we process personal data concerning you for direct marketing purposes, including profiling, you have the right to object to such processing. Once you object, we will stop such processing.

Unless otherwise specified in this Privacy Policy, please use the contact address specified in Section 1 to exercise your right, as set out above.

14.7 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority of your choice.

14.8 Data processed when you exercise your rights

Finally, we advise that we process the personal data transmitted by you, when you exercise your rights under Articles 15 through 22 GDPR, not only for the purpose of complying with these rights, but also so that we can demonstrate such compliance. This processing is based upon the legal basis of Article 6(1)(c) GDPR in conjunction with Articles 15 through 22 GDPR and § 34(2) BDSG.

Solutions
Resources
Company
Support

Privacy Policy (Search Platform)

Privacy Policy (Retail Media Platform)